
Virus threat message

When I sign into eBay, I receive the following message:

 

We’ve safely aborted connection on www.ebay.com because it was infected with

JS:Redirector-BMU [Trj].

 

Clearing cookies does not solve the issue.

Message 1 of 38

Re: Virus threat message

@khodge44

 

If you are actually being redirected, that is different than the Avast warning that other folks in this thread are discussing.

 

A redirection to the reimageplus site would seem to indicate you have adware or malware on your computer. Google "reimageplus redirect removal" along with your operating system type for info on steps you can take to remove the adware/malware.

 

Message 31 of 38

Re: Virus threat message

I assumed the [Trj] referred to the virus type, Trojan, not a filename suffix.

I wish the messages weren't so cryptic, but I'd guess it means Trojan, not ".TRJ" (note the capital T, lowercase rj, in the message).

Message 32 of 38

Re: Virus threat message

Thanks for staying on this, and demanding answers. Below is my experience, and why I suspect this may be more than just a false positive -- maybe an attempt by a malware author to make it *look* harmless, that the other virus software misses, but AVG/Avast detects, imperfectly... maybe it reports that one 'rrbundle.flat.min.js' file, but the actual redirect attempt is in a file that that file loads, like an ad?  Anyway, like I say, here's my experience since last Sunday:

 

I first got this reported by AVG on Nov. 18... it said it had safely aborted the connection, and scans by both AVG and Malwarebytes found nothing, so I thought I was safe. I also use AdBlock and never see ads on eBay.

 

But at the time it happened, I had clicked to "Contact Seller" from an item page, and after the AVG warning, eBay took me to the sign-in page even though I was already signed in, which it's never done before. There seemed to be a small Adobe Flash window that popped up in the corner of the screen quickly, then vanished. I disabled Flash on eBay, and that stopped happening, but it still takes me to the login page if I try Contact Seller (on the second page, after they attempt to provide canned answers first).

 

Then, yesterday, after paying for an item I'd won the night before, the item page was removed from the site, and my purchase history now has a mysterious note that says "We had to remove this listing from the site and you're not required to complete the transaction. If you've already sent payment, the sale should process as normal and you don't have anything to worry about. If you have any questions about delivery, please check tracking or contact your seller. If you run into any trouble along the way eBay is here to help. Please visit the Resolution Center to help resolve any problems you may encounter.".

 

I've never had that happen before, in many years of eBay across hundreds of items.  I assume the page contained malware of some kind.

 

And about the same time, I got a phishing email pretending to be a "Your item has shipped" email, about a different item that I received days ago. But that phishing email included my actual shipping address, which makes me wonder if it was from the seller who had the item removed, who got my address from my payment. Which then of course makes me wonder if my PayPal login and payments were hacked also!

 

Did AVG really prevent the infection? Is there something lingering still? Is PayPal (or other logins) at risk also? For others out there, does clicking through from an item page to 'Contact Seller' (past the suggested answers, to actually try contacting), request you to sign-in even if you're already signed in? That is, is the sign-in normal activity? It didn't used to be, but maybe eBay changed it for added security.  Please, try it and report what happens for you.

 

I've seen suggestions that this could be everything from a rootkit to a false positive. It really does not seem to be a 'false positive'. Does anyone have anything definitive? eBay doesn't seem to be of much help.  I'm afraid to login, not just eBay, but anywhere, if it's 'watching'.  I fear restarting my PC, if that will complete installation of anything that's lurking.

 

Please, eBay, come clean about what's going on.  It's too easy to just say it's AVG's fault... why does it keep happening?  Can you work with them, and ask them to nail down what is triggering it?  Maybe it's a false positive, maybe not -- but they should be able to look at exactly what the trigger is, and make the call.

Message 33 of 38

Re: Virus threat message

I see a post in the Avast forums, apparently from Avast staff, posted on Nov. 19th:

 

"« Reply #31 on: November 19, 2018, 09:27:22 AM »

This is certainly not a false positive, the detection was triggering a redirection script.
However, as this is on ebay, I will let it pass and disable the detection, but if anyone from ebay is reading this, beware that I am strongly against this behavior!"
 
 
Which adds to the mystery.  Apparently they've now disabled the detection, so nobody should be getting the notice anymore, if you have the very latest AVG/Avast?  But they imply that's only because they trust eBay, because it wasn't a false positive?  I wish they would elaborate, tell us where eBay was trying to redirect us.
 
Message 34 of 38

Re: Virus threat message

@cheerindigo

 

I would interpret that Avast staff post as claiming that their software was detecting a redirection of some sort, but not one that they considered malicious; it is likely something that eBay was doing intentionally (for a non-malicious purpose, rather than redirecting a user to a non-eBay site). Unfortunately, neither eBay nor Avast is likely to be forthcoming about the actual workings of their proprietary procedures, so we may never know exactly what was going on in this case.

Message 35 of 38

Re: Virus threat message

Possibly, though if so innocent, why would he be so strongly against it?

 

And why does eBay continue to use the redirect, even after this issue keeps popping up every few months, creating huge headaches and lessening trust of their site?

 

It's especially concerning on the sign-in page. Is eBay using some third-party scripts somewhere in there maybe, that shouldn't be completely trusted? I wish someone who knew java well would look at the offending code and explain what's really going on.

Message 36 of 38

Re: Virus threat message

@cheerindigo

 

"Possibly, though if so innocent, why would he be so strongly against it?"

 

Well, if nothing else, it makes Avast/AVG look bad. And it complicates his job. If every web site did the same thing, it would be that much harder to detect truly malicious redirects. And, philosophically, "security through obscurity" is frowned upon, even though  both eBay and Avast/AVG would tell you they have excellent reasons for wanting to keep their own procedures "obscure".

 

Disclaimer: I'm not a software guy, and I am not really in a position to say whether either company is "right" or at fault; I can say that it appears that each has their own set of incentives, which are not aligned in this case.

Message 37 of 38

Re: Virus threat message

It isn't Java, it's JavaScript, I have looked at it, posted at length about it here, but it is completely obfuscated, and may be beyond my capabilities to decode.

This isn't a huge problem - it's a problem for a small subset of users who choose to use a Virus protection suite that false flags on nothing (repeatedly)

Same idea as it wasn't Microsoft's problem when AVG deleted a Windows system file  in 2013 - that was all on AVG, and by extension, the user who chose to use AVG.

Yes, it would be nice if eBay and AVG took charge, but eBay is keeping mum because that file is what I believe to be part of some sort of anti-bot framework that eBay doesn't want publicized (the more known about it the easier for the bot makers to bypass it), and Avast isn't going to publicly admit they screwed up again. What should be happening is that eBay should work with Avast/AVG to incorporate an exclusion for that detection in the defs and heuristics.

I already told you people how to completely remove the "threat" - use an adblocker with the following rule, and the file never loads at all (Adblock Plus intercepts the page call for the file and aborts it), and therefore doesn't cause Avast/AVG to cry wolf:

ebay.com/rdr/js/s/*$domain=ebay.com


Better yet, get an Antivirus that works (80+ other antivirus engines see no problem and I tend to believe them)

 

I haven't run any active antivirus for a few years, when I did I saw maybe 5 warnings (that all turned out to be wrong), while running AV never saw an infected file on my machine (although the AV suites kept trying to delete hundreds of my utilities they called trojans which they were not), and I have never gotten infected (one benign toolbar installed in Internet Explorer 20+ years ago)

 

Before I dove into this issue and started blocking the eBay Roboradar framework I saw no odd behavior, and no redirects (my second 24" monitor is half full of firewall monitors and I see every outbound connection this machine makes out of the corner of my eye)

 

I will look at https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js again, and see what I can see, but I'll tell you now there is nothing malicious there.

 

Message 38 of 38
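
Added example (not part of any post in this thread, and not Adblock Plus's own code): a simplified JavaScript matcher showing which requests the filter rule quoted in the last post would stop. The function names are hypothetical, only the `*`, `^`, `||`, `|` and `$domain=` syntax is handled, and the sample URLs are constructed.

```javascript
// Added example: simplified matcher for Adblock Plus-style blocking filters.
// Not Adblock Plus code; handles only "*", "^", "||", "|" and "$domain=".
const RULE = "ebay.com/rdr/js/s/*$domain=ebay.com"; // rule quoted in the thread

function patternToRegex(pattern) {
  let prefix = "", suffix = "";
  if (pattern.startsWith("||")) {          // anchor at a (sub)domain boundary
    prefix = "^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?";
    pattern = pattern.slice(2);
  } else if (pattern.startsWith("|")) {    // anchor at start of URL
    prefix = "^";
    pattern = pattern.slice(1);
  }
  if (pattern.endsWith("|")) { suffix = "$"; pattern = pattern.slice(0, -1); }
  const body = pattern
    .replace(/[.+?${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*")                   // "*" matches any run of characters
    .replace(/\^/g, () => "(?:[^\\w\\-.%]|$)"); // "^" matches a separator or end
  return new RegExp(prefix + body + suffix, "i");
}

function parseFilter(line) {
  const cut = line.lastIndexOf("$");
  const pattern = cut === -1 ? line : line.slice(0, cut);
  const include = [], exclude = [];
  for (const opt of cut === -1 ? [] : line.slice(cut + 1).split(",")) {
    if (!opt.startsWith("domain=")) continue;
    for (const d of opt.slice("domain=".length).toLowerCase().split("|")) {
      if (d.startsWith("~")) exclude.push(d.slice(1)); else include.push(d);
    }
  }
  return { regex: patternToRegex(pattern), include, exclude };
}

// True when the page host equals the listed domain or is a subdomain of it.
const hostMatches = (host, domain) => host === domain || host.endsWith("." + domain);

function shouldBlock(filterLine, requestUrl, pageUrl) {
  const f = parseFilter(filterLine);
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  if (f.exclude.some((d) => hostMatches(pageHost, d))) return false;
  if (f.include.length && !f.include.some((d) => hostMatches(pageHost, d))) return false;
  return f.regex.test(requestUrl);
}

// Constructed sample requests (not captured traffic).
const SCRIPT = "https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js";
console.log(shouldBlock(RULE, SCRIPT, "https://www.ebay.com/signin/"));   // same-site load
console.log(shouldBlock(RULE, SCRIPT, "https://example.org/"));           // other page
console.log(shouldBlock(RULE, "https://www.ebay.com/itm/1", "https://www.ebay.com/"));
```

Because the quoted rule has no `||` anchor, it is a plain substring match on the request URL, and `$domain=ebay.com` limits it to pages served from ebay.com or its subdomains.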